Collecting logs from Read only Domain Controller
Hi Guys,
I have been trying to do some research on whether, if I collect logs (Application, System and Security), especially Security logs, from a Read-only Domain Controller (RODC), there is any possibility that I will be collecting duplicate logs, since I have already collected the logs from the main Domain Controller (DC).
I am not really sure how read-only domain controllers work, but I am assuming they will read and store Active Directory data from the main Domain Controller, and then a client will send its request to the RODC. On the other hand, I suspect that the data exchanged between the two DCs will not show in the logs, but the actual request by the client to the RODC will be logged as an event on the RODC, which will also pass this data to the main DC.
Any advice on the best approach for an environment that has, for example, 4 main DCs and 4 RODCs? If you were to collect security logs from all the DCs and RODCs, is there a possibility of duplicates? I am eventually going to have to collect the security logs from the RODCs because there are also other applications that will log their activity there, but my main concern is that I will also need to find a way of dealing with duplicates if there are any.
Comments
In short: grab logs from all your DCs.
2020 Goals: 70-744, Azure
Completed: MCSA 2012 (01/2016), MCSE: Cloud Platform and Infrastructure (07/2017), MCSA 2017 (09/2017)
Future Goals: CISSP, CCENT
MCSE | MCSA X3 | Security + | Network +
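To make the "grab logs from all your DCs" advice concrete, here is an added example (not from this thread or any commenter) of how a collector can tell a true duplicate from two distinct records. A Windows event record is identified by the host that wrote it plus its channel and EventRecordID, so a record that arrives twice from the same RODC collapses, while an RODC record and a writable-DC record for the same user never collide. The event XML below is constructed sample data, and the host names are invented.

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML (Get-WinEvent ... | % ToXml(), WEF, EVTX exports).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event_xml(computer, event_id, record_id):
    """Build a minimal, constructed Windows Security event record (sample data only)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
        '<Provider Name="Microsoft-Windows-Security-Auditing"/>'
        f'<EventID>{event_id}</EventID><EventRecordID>{record_id}</EventRecordID>'
        f'<Channel>Security</Channel><Computer>{computer}</Computer></System></Event>'
    )

# Constructed sample: a logon (4624) on the RODC, the same RODC record received a second
# time (e.g. two collection paths), and a Kerberos TGT request (4768) on the writable DC.
SAMPLE_EVENTS = [
    _event_xml("RODC01.corp.example", 4624, 1001),
    _event_xml("RODC01.corp.example", 4624, 1001),
    _event_xml("DC01.corp.example", 4768, 50321),
]

def event_identity(xml_text):
    """Return (Computer, Channel, EventRecordID): unique per record on one host.

    Caveat: EventRecordID restarts when an administrator clears the log, so a
    collector that must survive log clears should add TimeCreated to this key.
    """
    system = ET.fromstring(xml_text).find("e:System", NS)
    return (
        system.findtext("e:Computer", namespaces=NS),
        system.findtext("e:Channel", namespaces=NS),
        int(system.findtext("e:EventRecordID", namespaces=NS)),
    )

def dedupe_events(xml_records):
    """Keep the first copy of each record identity and drop later copies."""
    seen, kept = set(), []
    for record in xml_records:
        key = event_identity(record)
        if key not in seen:
            seen.add(key)
            kept.append(record)
    return kept

def records_per_host(xml_records):
    """Count surviving records per host, to show DC and RODC records stay distinct."""
    counts = {}
    for record in dedupe_events(xml_records):
        host = event_identity(record)[0]
        counts[host] = counts.get(host, 0) + 1
    return counts
```

Replication traffic between the writable DC and the RODC is not itself a Security event, so the only duplicates a collector sees are records pulled twice from the same host, which this key removes.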
Want more fun than you can handle? IIS logs are notoriously difficult to capture and parse in human-readable format. I am looking at you, AWS. IIS is a flat file, not a full expression file like you'd expect. This is another possible instance where you may have to look at the RODC.
- b/eads